$30 off During Our Annual Pro Sale. View Details »

OSSで始めるセキュリティログ収集/oss-securitylog-builderscon2017

bungoume
August 05, 2017
Technology
29
10k

 OSSで始めるセキュリティログ収集/oss-securitylog-builderscon2017

osqueryの紹介
https://builderscon.io/tokyo/2017/session/ce1bf3ee-33bd-4899-897d-ba3c4364c1c5

bungoume

August 05, 2017
Tweet

More Decks by bungoume

See All by bungoume
djangocongressjp2023_password_hash
bungoume
2
690
日経電子版でのDjango活用事例紹介 / djangocongressjp2022-nikkei
bungoume
4
2.8k
CircleCIの活用事例とCI高速化/circleci-community-meetup3-speedup
bungoume
3
1.3k
Password Hashing djangocongress 20180519
bungoume
5
3.5k
日経電子版のアプリ開発を 支えるログ活用術/nikkei-log-201609
bungoume
1
1.1k
Kibanaで秒間1万件のアクセスを可視化した話/nikkei-kibana-loganalyst2015
bungoume
20
16k
uwsgi-docker-pycon2015
bungoume
11
57k
Ansibleを結構使ってみた/ansible-nikkei-2015
bungoume
32
14k
Dynamic Inventoryと参照変数
bungoume
2
4.6k

Other Decks in Technology

See All in Technology
dbt Coreとdbt-athenaによるAWS上のdbt環境構築ナレッジ
nayuts
0
220
CSSパフォーマンスに関する計測結果
poteboy
3
1.2k
ココナラでエンジニアマネージャーをやってみた!
coconala_engineer
1
110
LLMを活用した爆速アウトプットのすゝめ / bakusoku-outputs-with-llm
yuya4
8
4k
uGUI の自動操作の考え方と操作方法
orgachem
PRO
0
490
Oracle Cloud Infrastructure データベース・クラウド:各バージョンのサポート期間
oracle4engineer
PRO
6
5.2k
kintone テクニカルライター採用ピッチ資料
cybozuinsideout
PRO
0
720
サービスの1等地ホーム画面改善と効果的なステークホルダーマネジメント / Improvement of Prime Location Home Screen for Services and Effective Stakeholder Management
rilmayer
0
160
開発生産性の多角的接点〜1,000名のクリエイター組織 × 開発生産性〜 / Multifaceted touchpoints of development productivity
i35_267
3
470
LLMエンジニアリングを加速させるソフトウェアアーキテクチャ
tkikuchi1002
0
470
分散ストレージはすごいぞ
sat
PRO
1
140
Azure OpenAI Serviceの採用と挑戦 - Azure AI Hub meetup #1
cimadai
1
270

Featured

See All Featured
Building Your Own Lightsaber
phodgson
97
5.4k
GraphQLの誤解/rethinking-graphql
sonatard
45
8.7k
The Pragmatic Product Professional
lauravandoore
23
5.4k
Code Reviewing Like a Champion
maltzj
511
38k
Adopting Sorbet at Scale
ufuk
66
8.2k
Build The Right Thing And Hit Your Dates
maggiecrowley
23
1.7k
The Straight Up "How To Draw Better" Workshop
denniskardys
226
130k
The Brand Is Dead. Long Live the Brand.
mthomps
48
6.5k
How to Ace a Technical Interview
jacobian
272
22k
Fantastic passwords and where to find them - at NoRuKo
philnash
34
2.3k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
226
16k
Build your cross-platform service in a week with App Engine
jlugia
223
17k

Transcript

  1. 1
    OSSͰ࢝ΊΔ
    ηΩϡϦςΟϩάऩू
    ക࡚ ༟ར
    builderscon tokyo 2017

    View Slide

  2. 2
    ࣗݾ঺հ
    ക࡚ɹ༟ར (Yuri Umezaki)
    DevOps: ϩά෼ੳɾݕࡧAPIɾΠϯϑϥ؅ཧ
    Python, Elasticsearch, Docker

    View Slide

  3. 3
    Ξϯέʔτ
    ɾ։ൃऀ
    ɾӡ༻ɺΠϯϑϥ؅ཧऀ
    ɾηΩϡϦςΟΤϯδχΞ
    ͋ͳͨͷۀ຿ʹ͍ۙͷ͸

    View Slide

  4. 4
    ηΩϡϦςΟڴҖ
    վ͟Μɾ৘ใྲྀग़
    ϥϯαϜ΢ΣΞ etc…
    ɾ಺෦ෆਖ਼
    ɹ(ૢ࡞ϛε)
    ϑΝΠΞ΢Υʔϧ
    IDS/IPS/WAF
    αʔό(ػີσʔλ)



    ͳͲ
    ɾ֎෦߈ܸ
    ڴҖ͸֎෦ͱ಺෦
    ྆ํʹજΉ

    View Slide

  5. ɾ཈ࢭɿࢥ͍ͱͲ·ΒͤΔ
    5
    ηΩϡϦςΟରࡦͷ෼ྨ
    ɾ༧๷ɿΞΫηε੍ޚͳͲ
    ɾݕ஌ɿ໰୊Λݕग़ɺ෮چͷख͕͔ΓΛه࿥
    ɾ෮چɿෆਖ਼ͷ͋ͬͨલʹ໭͢
    Ұൠʹ4ͭʹ෼ྨ
    ཈ࢭɾ༧๷ͱ͍ͬͨ๷ޚͷରࡦ͕ଟ͍

    View Slide

  6. 6
    ৵ೖ΁ͷؾ͖ͮํ
    ɾࣾ಺ͷਓ͕ෆ৹ͳ఺ʹؾ෇͘
    ɾ֎෦ͷ਌੾ͳϗϫΠτϋοΧʔ͔Βͷ࿈བྷ
    ɾϢʔβ͔Βͷ໰͍߹ΘͤͰൃ֮
    ɾ߈ܸऀࣗ਎͕ڭ͑ͯ͘ΕΔ ←
    ໿൒਺͕֎෦͔Βͷࢦఠ*ͱ͍͏࿩΋
    * FireEye M-Trends 2017: ηΩϡϦςΟ৵֐͓ΑͼαΠόʔ߈ܸͷ೥ؒτϨϯυ
    https://www.fireeye.jp/current-threats/annual-threat-report/mtrends.html

    View Slide

  7. 7
    ֎෦߈ܸͷݕग़
    ɾΞΫηεϩά΍IDS౳Ͱෆ৹ͳ௨৴Λݕग़
    ɾϗετܕηΩϡϦςΟ੡඼Ͱݕ஌
    ֎ͱαʔόͷதؒ੡඼Ͱ͋Δఔ౓कΒΕ͍ͯΔ
    ࠷ޙ͸ϗετʢαʔόࣗମʣͰݕग़͢Δ͔͠ͳ͍
    αʔόͰ΋࠷௿ݶͷϩά͸ऩू͓͖͍ͯͨ͠

    View Slide

  8. 8
    ಺෦ෆਖ਼ͷݕग़
    ɾ୭͕͍ͭαʔόʹϩάΠϯ͍ͯ͠Δ͔
    ɾαʔόͰԿΛ͍ͯ͠Δ͔(ૢ࡞ϩά)
    γεςϜ؅ཧऀͷೝূϩά͕ॏཁ
    ·ͣ͸αʔόͰͷೝূɾૢ࡞ϩάΛऩू͍ͨ͠

    View Slide

  9. 9
    ૢ࡞ϩάͲ͏औΔʁ
    ɾbash history
    ɾscriptίϚϯυ
    ɾpsacct
    ɾaudit
    ؆୯ʹه࿥ఀࢭɾॻ͖׵͑Ͱ͖ͯ͠·͏
    Ҿ਺ͳͲ͕֬ೝͰ͖ͳ͍,ίϚϯυ໊௕੍ݶ
    ؂ࠪϩάͱͯ͠ྑͦ͞͏

    View Slide

  10. 10
    audit log
    # systemctl start auditd
    # auditctl -a always,exit -F arch=b64 -S execve
    ls ͚ͩͰෳ਺ߦϩά͕ग़Δ
    ύʔε͠ʹ͍͘…
    /var/log/audit/audit.log

    View Slide

  11. 11
    audit logΛ׆༻͍ͨ͠
    ɾgo-audit
    Slack੡ͷauditlogΛ͍͍ײ͡ʹύʔε͢Δπʔϧ
    ɾElastic Beats
    Filebeat 5.4(2017/5/4) ΑΓauditlogͷύʔα௥Ճ!
    ɾosquery
    ↑ࠓճ͸͜Ε
    ࢲͷ஌͍ͬͯΔൣғͰ͸ҎԼͷύʔα͕ศརͦ͏

    View Slide

  12. 12
    osquery
    Facebook੡ͷϚγϯঢ়گ֬ೝπʔϧ
    ɾSQLͰ࣮ߦதͷϓϩηεɺϩάΠϯঢ়گͳͲ͕֬ೝͰ͖Δ
    osqueryi
    ɾεέδϡʔϧ࣮ߦͰϩάΛग़͠ɺ؂ࢹʹ΋ར༻Ͱ͖Δ
    osqueryd
    ɾLinux͚ͩͰͳ͘ɺwindows, macͰ΋ར༻Մೳ
    ஫: OSʹΑͬͯऔΕͳ͍छྨ͕͋Γ·͢ɻaudit events͸Ubuntu,CentOSͷΈ

    View Slide

  13. 13
    osquery
    2017/8/3 ݱࡏ githubͷstar͸9501
    Linux Security Tools (Top 100) *ͷ10൪໨ʹ঺հ
    * https://linuxsecurity.expert/security-tools/top-100/

    View Slide

  14. 14
    Linux Security Tools (Top 100)
    * https://linuxsecurity.expert/security-tools/top-100/

    View Slide

  15. 15
    ࿅श: macͰosquery
    $ brew install osquery

    View Slide

  16. 16
    ࿅श: macͰosquery
    chrome֦ுͳͲ·Ͱ෼͔Δ

    View Slide

  17. 17
    LinuxͰosqueryd
    vim /etc/osquery/osquery.conf
    osqueryΛఆظ࣮ߦͯ͠ϩάʹग़ͯ͠ΈΔɹ
    service osqueryd restart

    View Slide

  18. 18
    osquerydͷϩά
    /var/log/osquery/osqueryd.results.log
    ʹϩά͕JSONͰॻ͖ग़͞ΕΔ

    View Slide

  19. 19
    audit events
    ֎෦ͱͷ௨৴ཤྺΛऔΔͳΒsocket_events΋
    vim /etc/osquery/osquery.conf

    View Slide

  20. 20
    audit events
    /etc/osquery/osquery.flags ʹҎԼΛهࡌ
    socket_eventsΛऔಘ͢Δ৔߹͸
    ΋ඞཁ

    ʢ஫:͜ͷΦϓγϣϯΛ͚ͭΔͱCPU࢖༻཰͕૿͑Δʣ

    View Slide

  21. 21
    process_events ϩά
    lsͷ࣮ߦϩά

    View Slide

  22. 22
    socket_events ϩά

    View Slide

  23. 23
    ϑΝΠϧ੔߹ੑ؂ࢹ
    ࡞੒/มߋ/࡟আΛϑΝΠϧ΍ύε୯ҐͰ؂ࢹ
    vim /etc/osquery/osquery.conf

    View Slide

  24. 24
    ϑΝΠϧ੔߹ੑ؂ࢹ ϩά
    AIDE,OSSEC,Tripwire ͋ͨΓͷ୅ସʹͳΔ͔΋
    echo “message” >> /etc/test ޙͷϩά

    View Slide

  25. 25
    osquery ৭ʑऔΕΔ!
    ೝূɾૢ࡞ϩάΛऔΔ໨తͰܾΊ͚ͨͲ

    ϗετܕIDSͱͯ͠े෼ػೳͦ͠͏
    υΩϡϝϯτ΋ॆ࣮
    ίϚϯυ׳Εͯͳ͍ਓʹ΋࢖͍΍͍͢ʢ͔΋ʣ
    εέδϡʔϧ࣮ߦͰ͖Δ
    ݁Ռ͕JSONͰు͖ग़͞ΕΔͷͰ׆༻ָ͕ʢॏཁʣ

    View Slide

  26. 26
    osquerydͷ࢓૊Έ(ͬ͘͟Γ)
    ಺෦Ͱ͸RocksDBͱ͍͏key-valueܕσʔλετΞΛར༻
    https://code.facebook.com/posts/1411870269134471/how-rocksdb-is-used-in-osquery/
    osqueryd͸ఆظΫΤϦΛ࣮ߦ࣌

    લճͷ݁Ռ͕RocksDBʹ֨ೲ͞Ε͍ͯͳ͍͔νΣοΫ͢Δ
    ɾσʔλ͕ͳ͍৔߹
    - ͢΂ͯͷߦΛදࣔ͠ɺ݁ՌΛ֨ೲ
    ɾҎલͷ݁Ռ͕DBʹ͋Δ৔߹
    - 2ͭͷσʔληοτΛൺֱ͠ɺࠩ෼Λग़ྗ

    View Slide

  27. 27
    osquerydͷ࢓૊Έ(ͬ͘͟Γ)
    ఆظ֬ೝͷؒʹมߋͯ͠໭ͨ͠Β௨஌͞Εͳ͍ͷͰ͸ʁ
    ϑΝΠϧ੔߹ੑ؂ࢹʹ͍ͭͯ
    Event-based monitoringͳͷͰมߋͷ৘ใ͕อ࣋͞ΕΔ
    (fileͰ͸inotify͓ΑͼFSEventsΛ࢖༻)

    View Slide

  28. 28
    ԿΛ؂ࢹର৅ʹ͢Δ͔(Ұྫ)
    ɾೝূϩάʢϩάΠϯΠϕϯτʣ
    ɾૢ࡞ϩά
    ɾ௨৴ϩά
    ɾϋʔυ΢ΣΞ઀ଓϩά

    View Slide

  29. 29
    ԿΛ؂ࢹର৅ʹ͢Δ͔(୺຤)
    ɾChrome, firefoxͷplugin
    ɾ֦ுػೳʹϚϧ΢ΣΞ͕ೖΔέʔε͕ۙ೥໰୊ʹ
    ɾhomebrew౳ϥΠϒϥϦͷҰཡ
    ɹɾ༗໊ॴͱࣅ໊ͨલͷϚϧ΢ΣΞ͕npmͰݟ͔ͭΔ
    HTTP Headers ͱ͍͏ 5ສਓ͕࢖͍ͬͯΔ Chrome ֦ுͷϚϧ΢ΣΞٙ࿭
    http://blog.clock-up.jp/entry/2016/11/03/http-headers-malware
    npmjs.com Ͱஶ໊ιϑτ΢ΣΞʹΑ͘ࣅ໊ͨલͷϚϧ΢ΣΞ͕େྔʹൃݟ͞Εͨ
    http://gfx.hatenablog.com/entry/2017/08/02/131537

    View Slide

  30. 30
    Pack
    osquery_monitoring
    it_compliance, incident_response
    osx-attacks, vuln-management
    osqueryʹ͸ΫΤϦύοΫ΋༻ҙ͞Ε͍ͯΔ
    hardware-monitoring

    View Slide

  31. 31
    osquery.conf ઃఆྫ
    ·ͣ͸Pack + ࢖͏ͱ͜Ζ͔Β

    View Slide

  32. 32
    Logrotate΋๨Εͣʹ
    ݁ߏͳϩάͷྔʹͳΔͷͰɺlogrotate͸ඞཁ
    /etc/logrotate.d/osqueryd
    dailyͩͱਏ͍͜ͱ΋͋ΔͷͰhourly͕ྑ͍͔΋

    View Slide

  33. 33
    ϩάΛूΊΔ
    S3

    View Slide

  34. 34
    FluentdͰύʔε
    JSONͳͷͰfluentdͰͷύʔε͕؆୯

    View Slide

  35. 35
    Elasticsearch΁ϩάอଘ

    View Slide

  36. 36
    ϢʔβͷίϚϯυཤྺ

    View Slide

  37. 37
    sshdϩάΠϯࢼߦ

    View Slide

  38. 38
    ϩάͷ࢖͍ํɺӡ༻
    ElasticsearchʹϩάೖΕ͓͚ͯ͹ɺ
    Elastalert΍WatcherΛར༻ͯ͠
    ҟৗͳૢ࡞΍஫ҙ͕ඞཁͳίϚϯυΛݕࡧ/௨஌Մೳʹ

    View Slide

  39. 39
    νϟοτπʔϧʹ௨஌
    ϩάΠϯΠϕϯτΛSlackʹ௨஌͢Δ
    ௨஌͕͋ͬͨΒ࣮ߦऀ͕֬ೝίϝϯτ͢Δ͜ͱͰ
    ͩΕ͕ɾ͍ͭɾͲ͏͍͏໨తͰαʔόૢ࡞͍ͯ͠Δ͔

    ৘ใڞ༗ͱ(Ұछͷ)ଟཁૉೝূ͕Ͱ͖Δ

    View Slide

  40. 40
    ஫ҙ఺ͳͲ
    ɾosqueryͷ։ൃ͸׆ൃ
    ɹɾҎલ͸Disk IO͕૿͑Δόά͕͋ͬͨ(मਖ਼ࡁ)
    ɾϝϞϦ͸100MB΄Ͳফඅ
    ɾsocket؂ࢹΛ༗ޮʹ͢ΔͱCPUΛফඅ(5%ఔ౓?)
    ɾosqueryd͸εέδϡʔϧํࣜ
    ɹɾϩάॻ͖ग़͠Ͱ׬શੑ͸গ͠ऑ͍
    ɹɾgo-auditͳͲπʔϧΛ૊Έ߹Θͤͯ࢖͍·͠ΐ͏

    View Slide

  41. 41
    OSSͰ࢝ΊΔ
    ηΩϡϦςΟϩάऩू
    ക࡚ ༟ར
    builderscon tokyo 2017

    View Slide

  42. 42
    OSS osqueryͰ࢝ΊΔ
    ηΩϡϦςΟϩάऩू
    ക࡚ ༟ར
    builderscon tokyo 2017

    View Slide

  43. 43
    ·ͱΊ
    ɾηΩϡϦςΟӡ༻ෛՙ͕গͳ͍ܗͰશମઃܭ͢Δ
    ɾ༏ઌ౓ͷߴ͍ϩά͔Β׆༻͍ͯ͘͠
    ɾϩάͷվ͟Μ΍ϩετΛճආ͢Δػߏ΋ݕ౼͠Α͏
    ɾ߈ܸͷ༧๷΍෮چ΁ͷखॱཱ֬΋େ੾

    View Slide

  44. 44
    osquery͸ۜͷ஄ؙͰ͸ͳ͍
    ૊Έ߹Θͤͯར༻͠·͠ΐ͏
    osqueryೖΕͯOKͰ͸ͳ͘

    View Slide

  45. 45
    osquery ೔ຊͰ΋࢖͍͖ͬͯ·͠ΐ͏

    View Slide